* John (EBo) David (ebo@eagle.west.asu.edu) wrote:
> "John (EBo) David" wrote:
> > 
> > I was updating an HTTPD code red log filter to also automatically report
> > nimba and other attacks happening in my domain.  I just noticed a rather
> > disturbing pattern in the dates/names...
> 
> I think I figured it out.  If my guess is right, the HTTPD opens the
> error log once and caches the file/stream pointer.  When I rename the
> file the inode is not changed, just the file name in the directory.  So,
> the errors keep getting dumped in the error_log_DATE file and my filter
> has been checking against the new empty error_log file...
> 
> Does this sound like a reasonable scenerio to those HTTPD guru's out
> there?  If so, I know how to fix the problem, just have to rewrite the
> script...

OK, this one I know.  I believe you have to stop httpd, _then_ move the file,
then fire it back up!

Gontran